Date: 17-Feb :38


Copyright (c) ThreatSTOP, Inc. All Rights Reserved. NOTICE: All information contained herein is, and remains the property of ThreatSTOP, Inc. and its suppliers, if any. The intellectual and technical concepts contained herein are proprietary to ThreatSTOP, Inc. and its suppliers and certain aspects thereof are protected by United States Patent No. 8,533,822 and United States Patent No. 8,869,237, and are protected by trade secret or copyright law. US Government Entities: The ThreatSTOP service, software and documentation, as applicable, are "commercial computer software" and "commercial computer software documentation" developed exclusively at private expense by Threatstop, Inc. ("Threatstop"). Pursuant to FAR or DFARS and their successors, as applicable, use, reproduction and disclosure of the software and documentation is governed by the terms of Threatstop's commercial agreement.

Table of Contents

Overview
Step-by-step guide
    In the ThreatSTOP Portal
    In the DNS Firewall Device
Logging and Restarting the Service
Sending Log Information to More Than One Destination
Testing
Index

Integrating with an Existing BIND 9.8+ Deployment

Overview

The purpose of this document is to describe the integration process for ThreatSTOP DNS Firewall into an existing BIND 9.8+ deployment. This document is written under the condition that you have an existing DNS deployment and are looking to add the ThreatSTOP DNS Firewall to your existing network infrastructure. This is done by placing the DNS Firewall between your existing DNS configuration and your external connection. This will allow ThreatSTOP DNS Firewall to guard against hostile connections.

A birds-eye view of the setup procedure is:

1. Open a ThreatSTOP account if you have not already done so. Specify that you are setting up a DNS Firewall in order to receive any needed materials.
2. In the Device section of the Portal, configure a new device with the following settings:
       Manufacturer: DNS Server
       Model: BIND 9.8+
   Note: More information about setting up Devices in the Portal can be found in the Introduction.
3. You will then need to configure the rest of the Portal to service a ThreatSTOP DNS Firewall as explained in ThreatSTOP DNS Firewall.
4. Configure BIND itself to act as a slave server for the zone that contains your policy.
5. Configure the client machines to be protected to use the ThreatSTOP DNS Firewall for address resolution.

Step-by-step guide

The following steps will walk you through the configuration of BIND to serve your ThreatSTOP DNS Firewall. Note that these steps begin after the account creation process has finished.

In the ThreatSTOP Portal

1. In the ThreatSTOP portal, add a DNS Firewall policy. To do this:
   - Click on Policies & Lists, then on the DNS FW Policy tab.
   - Select + Add Policy.
   - Set a Policy name: in the corresponding field.
   - If you want to change the default behavior of the RPZ Target Lists being used, set it in the Default Behavior field.
     Note: The available behaviors are: NXDOMAIN, NODATA, PASSTHRU, DROP.
   - Select the RPZ Target Lists you want to block. For our example we'll use the BASIC list with the default behavior.
   - If you want a specific list to be treated differently from other included lists, change the Behavior dropdown to the desired action.
     Caution: This dropdown will override the Default Behavior field.
   - Click on Submit to save your changes.

2. Click on Devices and then on + Add Device.
   - Enter a Nickname for the device; this should be something descriptive of the device.
   - Set the Manufacturer and Model to:
         Manufacturer: DNS Server
         Model: BIND 9.8+
   - Set the IP Type as defined by your network needs.
     Warning: Using a Dynamic IP address is far outside of best practices and is not recommended. Unexpected results can occur if this setting is used.
   - The IP Address of the device is the external IP address (unsecured side of the firewall). This can be determined by visiting:
   - Select the DNS Firewall policy you defined previously in the Policy drop down.

In the DNS Firewall Device

3. Login to the device as normal.
4. Change to the BIND configuration directory and display named.conf:
       cd /etc/bind
       cat named.conf
   Verify that named.conf contains the following lines. If they are not present they will need to be added to the file:
       include "/etc/bind/named.conf.options";
       include "/etc/bind/named.conf.local";
5. After verifying that named.conf has the needed entries (or adding them), you will need to adjust named.conf.options. To do this, enter:
       sudo vi named.conf.options
   Then add the following to the file:
       response-policy {
           zone "<RPZ Zone Name>";
       };
6. You'll also need to add the following information to named.conf.local:

       logging {
           channel named-rpz {
               file "/var/log/named/rpz.log";
               severity debug;
               print-time yes;
           };
           category rpz { named-rpz; };
       };

   Note: Eventually you'll want to change allow-query to something similar to the following:
       allow-query { localhost; our_clients; };
   You can then add a section similar to the following above the zone policy definition (the network prefix is a placeholder for your own client range):
       acl our_clients { <your internal network>/24; };
   This will allow your internal client DNS servers to update their lists based on our RPZ data.

7. After adding the information above to named.conf, you will need to add the following line into a file called logrotate-ts in the /etc/cron.hourly/ directory. To do this, enter the following from the command prompt:
   - Type cd /etc/cron.hourly and press ENTER.
   - Type sudo vi logrotate-ts and press ENTER. This may require you to re-enter your login password.
   - Tap the i key to enter Insert mode.
   - Add the opening statement #!/bin/sh and tap ENTER.
   - Type /usr/sbin/logrotate -f /etc/logrotate.d/threatstop
   - Tap Esc, then type :wq and press ENTER.

8. The following commands will set up the directory structure for deployment and set the appropriate permissions for each directory:
       sudo mkdir /var/cache/bind/zones
       sudo chmod 755 /var/cache/bind/zones
       sudo chown bind:bind /var/cache/bind/zones
       sudo mkdir /var/log/named
       sudo chmod 755 /var/log/named
       sudo chown bind:bind /var/log/named
   This will be useful if you decide to uninstall and choose to remove BIND completely.
9. Finally, enter sudo service bind9 restart and press ENTER.
   Note: sudo is not required for users logged in with administrative privileges.
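The configuration fragments from steps 5 and 6 are short but easy to get wrong by hand: a closing `};` dropped, a placeholder such as `<RPZ Zone Name>` left in place, or an ACL prefix with host bits set. The following script, added here as an example and not part of the ThreatSTOP guide, renders the response-policy, ACL and logging fragments from validated inputs and checks that the result is brace-balanced before it is pasted into named.conf. The function names, the placeholder zone name and the client networks are assumptions made for illustration.

```python
"""Render and sanity-check the BIND RPZ configuration fragments used in the
procedure above.  Added example, not ThreatSTOP's code; function names and the
sample inputs at the bottom are assumptions made for illustration."""
import ipaddress
import re

# One DNS label: 1-63 characters, letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_zone_name(zone: str) -> str:
    """Reject anything that is not a plausible DNS zone name, so a leftover
    placeholder like '<RPZ Zone Name>' never reaches named.conf."""
    labels = zone.rstrip(".").split(".")
    if not labels or not all(_LABEL.match(lab) for lab in labels):
        raise ValueError(f"invalid RPZ zone name: {zone!r}")
    return zone.rstrip(".")


def validate_networks(networks):
    """Normalise client prefixes for the our_clients ACL.  strict=True rejects a
    prefix with host bits set (e.g. 192.0.2.5/24); BIND would accept it, but it
    almost always signals a typo in the range you meant to allow."""
    return [str(ipaddress.ip_network(n, strict=True)) for n in networks]


def render_options(zone: str) -> str:
    """The response-policy block that goes into named.conf.options."""
    zone = validate_zone_name(zone)
    return f'response-policy {{\n    zone "{zone}";\n}};\n'


def render_local(networks, log_path="/var/log/named/rpz.log") -> str:
    """The ACL and logging fragments that go into named.conf.local."""
    acl = "".join(f"    {n};\n" for n in validate_networks(networks))
    return (
        f"acl our_clients {{\n{acl}}};\n"
        "logging {\n"
        "    channel named-rpz {\n"
        f'        file "{log_path}";\n'
        "        severity debug;\n"
        "        print-time yes;\n"
        "    };\n"
        "    category rpz { named-rpz; };\n"
        "};\n"
    )


def braces_balanced(text: str) -> bool:
    """Structural check: named refuses to start on an unbalanced named.conf,
    and the '};' terminators are the lines most often lost when copying."""
    depth = 0
    for ch in text:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Placeholder zone name and constructed client networks, not real values.
    opts = render_options("rpz.example.test")
    local = render_local(["192.0.2.0/24", "2001:db8::/48"])
    print(opts + local)
    print("balanced:", braces_balanced(opts + local))
```

Run it, review the printed fragments, and only then copy them into the files named in steps 5 and 6; the brace check is deliberately simple and is no substitute for `named-checkconf` once the fragments are in place.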

Logging and Restarting the Service

After configuring the BIND server to use ThreatSTOP's Threat Intelligence lists, you can start sending your logs to ThreatSTOP, where they will be used to help reinforce our community's Threat Intelligence.

Before starting on this section, certain prerequisites need to be met: your system will need to be configured to run logrotate, and must have the curl, stat, md5sum, and cut utilities.

Note: The following packages provide these utilities on Ubuntu 14.04:
    curl: sudo apt-get install curl
    logrotate: sudo apt-get install logrotate
stat, md5sum, and cut are all part of the core Ubuntu distribution and should be installed automatically with the OS.

After ensuring these programs are present, you can start uploading logs back to ThreatSTOP using logrotate. To do this:

1. Change directory to the logrotate.d folder and create a new file called threatstop:
       cd /etc/logrotate.d
       sudo vi threatstop

4. Enter sudo service bind9 reload and press ENTER.
   Note: sudo is not required for users logged in with administrative privileges.

Sending Log Information to More Than One Destination

The configuration above will upload the rotated file to ThreatSTOP and, if specified, wherever the second command in the postrotate section sends it. If the data is to be sent to a syslog server, however, the process is simplified by adding a second BIND channel for rpz.log, as shown in the configuration below. BIND accepts only one logging statement, so the new channel is added to the existing logging block alongside the named-rpz channel defined earlier rather than in a second block:

/etc/bind/named.conf(.local)

    logging {
        channel remote_syslog_rpz {
            syslog local4;
            severity debug;
            print-time yes;
        };
        category rpz { named-rpz; remote_syslog_rpz; };
    };

Follow this up by forwarding the syslog configuration to the SIEM (based on your setup). For example, with rsyslog:

/etc/rsyslog.d/50-default.conf
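Whichever destination receives rpz.log, the SIEM side still has to turn the raw lines into something a detection rule can act on. The parser below is an added example, not part of the ThreatSTOP guide: it breaks BIND rpz-category lines (as written by the named-rpz channel with print-time yes) into records, counts hits per RPZ action, and lists the clients that repeatedly hit blocking rules, which is the usual first signal of an infected host. The sample lines are constructed to match the shape BIND emits and the regular expression is tuned to that shape; the timestamps, client addresses and the rpz.example zone name are made up.

```python
"""Parse BIND rpz.log lines into records and summarise them per action and per
client.  Added example, not ThreatSTOP's code; SAMPLE_LOG is constructed, not
captured from a real server, and LINE_RE is written for that line shape."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample lines.  The last one is a non-RPZ message that must be skipped.
SAMPLE_LOG = """\
17-Feb-2016 10:38:01.001 client 192.0.2.10#53211: rpz QNAME NXDOMAIN rewrite bad.threatstop.com via bad.threatstop.com.rpz.example
17-Feb-2016 10:38:02.120 client 192.0.2.10#53212: rpz QNAME NXDOMAIN rewrite bad.threatstop.com via bad.threatstop.com.rpz.example
17-Feb-2016 10:38:05.773 client 192.0.2.77#40001: rpz QNAME DROP rewrite evil.example.net via evil.example.net.rpz.example
17-Feb-2016 10:38:06.004 client 192.0.2.77#40002: rpz QNAME PASSTHRU rewrite allowed.example.org via allowed.example.org.rpz.example
17-Feb-2016 10:38:07.000 client 192.0.2.10#53213: rpz NSDNAME NODATA rewrite cdn.example.com via ns.bad.example.rpz.example
17-Feb-2016 10:38:08.000 general: info: zone rpz.example/IN: transferred serial 42
"""

# Tolerates the optional "@0x..." client handle and "(qname)" that newer BIND
# releases insert after the client address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<client>[^#\s]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: rpz (?P<trigger>\w+) (?P<action>\w+) rewrite (?P<qname>\S+) via (?P<rule>\S+)"
)


@dataclass(frozen=True)
class RpzHit:
    ts: str
    client: str
    trigger: str   # QNAME, IP, NSDNAME, NSIP
    action: str    # NXDOMAIN, NODATA, PASSTHRU, DROP, ...
    qname: str     # the name the client asked for
    rule: str      # the RPZ record that matched


def parse_line(line: str):
    """One log line -> RpzHit, or None for lines that are not RPZ rewrites."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return RpzHit(m["ts"], m["client"], m["trigger"], m["action"], m["qname"], m["rule"])


def parse_log(text: str):
    return [h for h in (parse_line(ln) for ln in text.splitlines()) if h]


def summarise(hits):
    """Counts per action, plus the distinct blocked names per client.  PASSTHRU
    means the lookup was allowed, so it is counted but not treated as a block."""
    by_action = Counter(h.action for h in hits)
    blocked = defaultdict(set)
    for h in hits:
        if h.action != "PASSTHRU":
            blocked[h.client].add(h.qname)
    return by_action, {c: sorted(names) for c, names in blocked.items()}


def noisy_clients(hits, threshold=2):
    """Clients with at least `threshold` blocked lookups in the parsed window."""
    counts = Counter(h.client for h in hits if h.action != "PASSTHRU")
    return sorted(c for c, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    by_action, blocked = summarise(hits)
    print("hits by action:", dict(by_action))
    print("blocked names per client:", blocked)
    print("clients over threshold:", noisy_clients(hits))
```

Point `parse_log` at the rotated file (or at what the syslog channel delivers) and feed `noisy_clients` into an alert; the threshold and time window are the knobs to tune against your own client population.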

Testing

To test that your configuration is up and running, you'll need to set up a temporary test policy in the ThreatSTOP portal. Any policy added to this list should have the RPZ behavior set to NXDOMAIN or DROP. After setting this:

1. Go to a known good website to verify that you are able to connect.
2. Go to a known bad website (i.e., bad.threatstop.com). Based on your testing policy's settings you should receive a rejection screen (for NXDOMAIN) or have your connection time out (DROP).
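A browser test only shows the end result; the behaviours in this section map directly onto what the DNS Firewall returns, so a small resolver-side check can name the behaviour you actually got. The script below is an added example, not ThreatSTOP's tooling: it builds a minimal DNS A query with the standard library, sends it to the firewall, and classifies the reply as NXDOMAIN (RCODE 3), NODATA (RCODE 0 with no answers), PASSTHRU (an ordinary answer) or DROP (no reply before the timeout). The three sample replies are constructed byte strings used to exercise the classifier offline; `probe()` is the only function that touches the network, and the server address passed to it is an assumption.

```python
"""Classify how a DNS server answers a name in the terms the Testing section
uses.  Added example, not part of the ThreatSTOP guide; the REPLY_* values are
constructed packets and the default server address is a placeholder."""
import socket
import struct


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard query with RD=1 and one question (qtype 1 = A, qclass 1 = IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_response(data: bytes, expect_qid=None):
    """Return (rcode, answer_count); raises on a short packet, a non-response,
    or a transaction ID that does not match the query we sent."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expect_qid is not None and qid != expect_qid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    return flags & 0x000F, an


def classify(reply, expect_qid=None) -> str:
    """Map a raw reply (or None for a timeout) onto the RPZ behaviours."""
    if reply is None:
        return "DROP"                # nothing came back before the timeout
    rcode, answers = parse_response(reply, expect_qid)
    if rcode == 3:
        return "NXDOMAIN"
    if rcode == 0 and answers == 0:
        return "NODATA"
    if rcode == 0:
        return "PASSTHRU"            # an ordinary answer was returned
    return f"RCODE{rcode}"           # SERVFAIL, REFUSED, ... left for the caller


def probe(name: str, server: str, timeout: float = 3.0, qid: int = 0x1234) -> str:
    """Send one A query over UDP to the DNS Firewall and classify the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(reply, qid)


# Constructed replies for the three answered cases: a header echoing QID 0x1234
# with QR, RD and RA set, then the question section.  The PASSTHRU reply also
# carries one A record (compressed name pointer, TTL 60, 192.0.2.1).
_Q = encode_name("bad.threatstop.com") + struct.pack("!HH", 1, 1)
REPLY_NXDOMAIN = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q
REPLY_NODATA = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _Q
REPLY_PASSTHRU = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder: your DNS Firewall
    for n in ("example.com", "bad.threatstop.com"):
        print(n, "->", probe(n, server))
```

Run it against the firewall's address from a protected client: the known good name should come back as PASSTHRU and bad.threatstop.com as whichever behaviour the temporary test policy was given. A NODATA result where NXDOMAIN was expected, or a PASSTHRU for the bad name, points at the policy or the response-policy zone rather than at client configuration.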
